SRX Services Gateway
Contributor
aeroplane
Posts: 724
Registered: ‎06-30-2009

Security Policies best practice for HUB and SPOKE IPSEC VPN

Hi Experts

 

I have an SRX3600 cluster on the HUB site and SRX240s at the spoke sites. All the VPNs are route-based VPNs. There are two communications for these VPNs.

 

1- SPOKE to SPOKE through HUB

2- SPOKE to HUB

3- HUB to SPOKE

 

Now if we take SPOKE-1 to SPOKE-2 communication, then there are three points where we have to make security policies.

1- On SPOKE-1 from zone Trust to VPN

2- On HUB from VPN to VPN

3- On SPOKE-2 from zone VPN to Trust

 

My question is, where do I need to do hardening? I mean, what is the best practice to make such policies? My idea is that on the spokes I will make Trust to VPN all allow and similarly VPN to Trust all allow. Then on the HUB, I will make VPN to VPN more specific policies to control applications etc.

 

Can somebody tell me a better option?

 

Thanks

Distinguished Expert
spuluka
Posts: 2,610
Registered: ‎03-30-2009

Re: Security Policies best practice for HUB and SPOKE IPSEC VPN

I don't know if there is necessarily a right/best way to do this.

 

But I prefer to place the most restrictive policy on the firewall closest to the protected resource.  So if the device that needs restrictions is in spoke 2, the most restrictive policy is on the spoke 2 firewall.

 

The reason I do it this way, is if there are connectivity problems there are frequently many sources of the traffic but only one destination.  So if the most restrictive rules are always next to the destination I know where to go for troubleshooting.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor
ed_gpc
Posts: 195
Registered: ‎09-21-2010

Re: Security Policies best practice for HUB and SPOKE IPSEC VPN

I'm with spuluka on that one.

 

Also, if you have your restrictive policy on the spokes, you can potentially reduce the unneeded bandwidth usage for it to just be dropped at the hub anyway.
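The placement both replies recommend, written out as an added Junos configuration example for the SPOKE-2 side (not from the original thread): the restrictive, logged rules sit on the VPN-to-Trust direction next to the protected servers, while Trust-to-VPN stays "all allow" as the question proposes. Zone names, interface names and the 10.x.0.0/24 address ranges are assumptions.

```junos
## Spoke-2 (SRX240): the protected servers live here, so the restrictive
## rules go on this box. Addresses and interface names are assumed.
security {
    zones {
        security-zone trust {
            address-book { address spoke2-servers 10.2.0.0/24; }   # assumed local LAN
            interfaces { ge-0/0/1.0; }
        }
        security-zone vpn {
            address-book {
                address spoke1-lan 10.1.0.0/24;   # assumed remote spoke LAN
            }
            interfaces { st0.0; }                 # route-based tunnel interface
        }
    }
    policies {
        /* Inbound over the tunnel: permit only what spoke-2 actually hosts,
           then deny and log the rest so troubleshooting starts here. */
        from-zone vpn to-zone trust {
            policy allow-web-from-spoke1 {
                match {
                    source-address spoke1-lan;
                    destination-address spoke2-servers;
                    application [ junos-http junos-https ];
                }
                then { permit; log { session-close; } }
            }
            policy deny-and-log {
                match { source-address any; destination-address any; application any; }
                then { deny; log { session-init; } }
            }
        }
        /* Outbound toward the tunnel: "all allow", as the question proposes;
           the receiving spoke enforces its own inbound rules. */
        from-zone trust to-zone vpn {
            policy allow-out {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
}
```

On the HUB, spoke-to-spoke traffic enters and leaves the same st0 interface, so it needs an intra-zone `from-zone vpn to-zone vpn` permit policy; keeping that one broad means a dropped session is only ever logged at the destination spoke. SRX denies traffic with no matching policy by default, but the explicit `deny-and-log` rule is what makes the drop visible in the traffic log.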

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.